CVE-2024-10240

EPSS 0.15%
Published 26.11.2024 20:15:24
Last modified 13.12.2024 01:37:16
Source cve@gitlab.com
Teams watchlist Login
Open Login

An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Gitlab ≫ Gitlab SwEditioncommunity Version >= 17.3.0 < 17.3.7

Gitlab ≫ Gitlab SwEditionenterprise Version >= 17.3.0 < 17.3.7

Gitlab ≫ Gitlab SwEditioncommunity Version >= 17.4.0 < 17.4.4

Gitlab ≫ Gitlab SwEditionenterprise Version >= 17.4.0 < 17.4.4

Gitlab ≫ Gitlab SwEditioncommunity Version >= 17.5.0 < 17.5.2

Gitlab ≫ Gitlab SwEditionenterprise Version >= 17.5.0 < 17.5.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.355

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cve@gitlab.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#information-disclosure-through-an-api-endpoint

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/493188

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2024-10240

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-10240

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-10240

EUVD